W3C home > Mailing lists > Public > public-tracking@w3.org > March 2012

Re: Parties and First Party vs. Third Party (ISSUE-10)

From: Rigo Wenning <rigo@w3.org>
Date: Thu, 15 Mar 2012 17:29:28 +0100
To: public-tracking@w3.org
Cc: Sean Harvey <sharvey@google.com>, Jonathan Mayer <jmayer@stanford.edu>
Message-ID: <1537681.EgB95VrTh0@hegel.sophia.w3.org>
On Wednesday 14 March 2012 00:13:47 Sean Harvey wrote:
> Easy discoverability was the main
> issue to my knowledge.

In this case, look at the P3P 1.1 protocol that defined exactly this. 
http://www.w3.org/TR/P3P11/#oho

I think this part of the P3P 1.1 Specification is from Matthias and Jack 
Humphrey

In this case, we would not make a definition, but a file-format to allow for 
assertions. As assertions can be wrong and as voluntarily wrong assertions are 
called lies, there is some vulnerability involved in that approach. It also 
makes the system heavier, because we need yet more round trips. 

Coming from P3P, I guess the best we could do is a response header where a 
party asserts what it believes it is. And leave the definition of "same legal 
entity" to the legal system. Because I don't know if "affiliate" is the right 
term as it extends to all contractual relationships. 

This would also do partly the trick of harmonization EU/US required by Chris, 
as the quality of data controller is "the natural or legal person, public 
authority, agency or any other body which alone or jointly with others 
determines the purposes and means of the processing of personal data; "

This concept is somewhat debated at the moment in the EU because everyone of 
us is a data controller to a certain extend because we have deal with personal 
data of others all the time. And this puts too much burden on ordinary people. 
But for what we try to define here, I think legally, it does the trick. For 
transatlantic reasons, I would not copy the EU definition, but rather define 
the first party to be "the legal entity" having factual control over the 
service the user believes she is interacting with. 

As Amy said in Brussels, and I confirm, lawyers have a pretty precise idea 
about what is still the same person (legal or natural) and what is not. Re-
inventing it is a bit too much IMHO. Note that this also may contain naughty 
surprises for advertisers as managers love to outsource and buy-back-in all 
kinds of parts of companies. And that can be a stepping stone, because the 
front-ends won't change operations. 

But I confess that I haven't read the paper from Jonathan and Tom yet, so we 
may need additional safeguards. The legal entity approach fails somewhat for 
super-mega-large companies and governments. As one government is one legal 
entity.. Again, we do not have to re-invent data protection here, but I have 
to take the time to read Jonathan's and Tom's paper. URI?

Best,

Rigo
Received on Thursday, 15 March 2012 16:29:59 UTC

This archive was generated by hypermail 2.3.1 : Friday, 21 June 2013 10:11:26 UTC